New CIRCIA Law and the 3 Steps Financial CIOs Can Take to Prepare
Attitudes toward cybersecurity responsibility are shifting worldwide. Impacts of successful breaches can be seen across the globe, challenging nearly every public and private industry. The financial services sector needs to be especially vigilant and prepare ahead of time for upcoming regulation changes that could further impact incident reporting procedures.
Earlier this year, Costa Rica declared a national state of emergency after its Finance Ministry was hit by a ransomware attack carried out by the group known as Conti. The attack crippled the country for nearly a month, with more than two dozen government institutions unable to operate fully. It limited the country’s ability to collect taxes, froze payroll for thousands of public employees, and even disrupted foreign trade. Costa Rica’s troubles have been attributed in large part to shortcomings of the previous administration: underinvestment in cybersecurity and inadequate incident reporting.
This is just one of many “worst-case-scenarios” we’ve seen over the last few years as attackers set their sights on larger, more critical infrastructure targets than ever before.
Signed into law in the US in March of this year, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) will require covered entities in critical infrastructure sectors, which include financial services, to report substantial cyber incidents such as ransomware attacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of reasonably believing an incident has occurred, and to report any ransomware payment within 24 hours of making it. The precise scope of “covered entity” and “covered cyber incident” will be defined by CISA’s implementing rule, but the reporting clocks themselves are fixed in the statute. With these changes coming to US regulation, now is the time to get a jump-start on protecting not only your company’s best interests but also the country’s financial infrastructure as a whole. Here are 3 things CISOs and CIOs in the financial industry can do right now to protect their sensitive data and prepare for upcoming changes in regulation:
1. Enforce due diligence questionnaires for vendors
Knowing how your information – and your customers’ information – is protected when it’s outside your internal systems is vital to keeping that data out of the hands of malicious actors. Would you send your child to a daycare without first checking its credentials? CISOs and CIOs need to treat their data the same way they would their most valued assets: ensure it is in trusted hands at all times, and that procedures are in place to handle emergencies. At a minimum, the questionnaire and the contract behind it should establish how quickly a vendor must notify you of an incident affecting your data. If your own reporting clock is 72 hours, a vendor that is contractually allowed weeks to tell you about a breach will cause you to miss it.
2. Keep an eye on foreign cybersecurity legislation
The EU, India, and others are already ahead of the US in high-level cybersecurity regulation and mandatory reporting; the EU’s GDPR, for example, has required notification of personal data breaches to supervisory authorities within 72 hours since 2018. India’s CERT-In directions, issued in April 2022, impose much stricter reporting and recordkeeping requirements than before: covered organizations must report incidents to CERT-In within 6 hours of noticing them and retain logs of their ICT systems for a rolling period of 180 days. If these regulations are shown to deliver results, it may not be long before other countries, the US included, adopt similar reporting windows.
3. Start keeping detailed logs of data breaches now
CIRCIA’s reporting obligations do not take effect until CISA finalizes its implementing rule; the statute gives CISA until March 2024 to publish the proposed rule, with the final rule due within 18 months after that. That is no reason to wait: now is the time to get ahead of the learning curve and keep better tabs on your cybersecurity posture. If you aren’t yet keeping detailed records of security incidents affecting your network, start immediately. A usable incident record captures, at a minimum, when the incident was detected and by whom, which systems and data were affected, the indicators and attacker activity observed, and every containment and recovery action taken with its timestamp, because a 72-hour report has to be assembled from exactly that information. Retain the underlying logs long enough to reconstruct the timeline, and rehearse producing a report from them, so that you can demonstrate compliance and report a breach at a moment’s notice.
If you need help building a disaster recovery plan, have questions about best practices when writing an information security policy, or if you aren’t sure where to start, Thrive’s vCISOs are here to help. Reach out to a member of our expert cybersecurity team today for a free consultation.
Note from the author: